Opened 37 minutes ago
Last modified 23 minutes ago
#37209 assigned Bug
`UserAttributeSimilarityValidator` uses unordered string comparison
| Reported by: | Terence Honles | Owned by: | Terence Honles |
|---|---|---|---|
| Component: | contrib.auth | Version: | |
| Severity: | Normal | Keywords: | |
| Cc: | Terence Honles | Triage Stage: | Unreviewed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
UserAttributeSimilarityValidator only uses the SequenceMatcher.quick_ratio method (which uses an unordered comparison of two strings and is only intended to be used as an upper bound)
This causes what I would consider "false positives" for strings that are not actually similar (any anagram will produce a ratio of 1 (exactly equal)).
I discovered this because we had a flaky test in our CI (with a user having attributes generated using Faker) and I finally spent some time to investigate the flaky test. The two strings (lowercased) were "andrews" and "new-password", which lead me to wonder how those could be considered 70% similar.
I have added a test with the anagrams: "enumerations" & "mountaineers"
The
SequenceMatcher'squick_ratiomethod has been used since the validators were added to Django in v1.9 (1daae25bdcd735151de394a5578c22257e3e5dc7), and since my PR was automatically closed, here's the same patch